
Apache, SuExec and virtual Hosts

This document describes how to use Apache's SuExec module in order to have virtual hosts running as an unprivileged user. In general it is good practice not to let any kind of webspace have superuser privileges, as this rather brutal PHP example shows:

You get the point, don't you? To prevent this, never let any virtual host have write access anywhere but in its own home directory or DocumentRoot. Unfortunately this method requires Apache to run as the superuser so that it can become another user, but that is not a big deal, since the default DocumentRoot does not need to be served as the superuser either.

SuExec is also worth considering if several FTP accounts will point at those webspaces: the account owners need write permission on the files while Apache still has to be able to read them.

Prerequisites

familiarity with the basic configuration of Apache, especially virtual hosts

superuser access to the target box

knowledge of how to add users

the ability to work with pacman

Adding SuExec module to Apache

Load the SuExec module in /etc/httpd/conf/httpd.conf like this:

LoadModule suexec_module lib/apache/mod_suexec.so

Also make sure that Apache's default DocumentRoot is not served as the superuser:

User nobody
Group nobody

Setting up a virtual Host to use SuExec

One way to do it is directly in /etc/httpd/conf/httpd.conf, but I suggest using a separate file if you intend to create more than just a couple of virtual hosts. Either way, a virtual host that is supposed to use SuExec may look something like this:
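
The directive that ties a virtual host to SuExec is SuexecUserGroup, which names the user and group the suexec wrapper switches to for that host's CGI and SSI programs (it has no effect on mod_php; PHP has to run as a CGI binary for suexec to apply). The following script is an added example and not part of the original article: vhost_config prints such a virtual host, and suexec_check reproduces the ownership and permission tests suexec applies, so you can see why a program is refused before digging through suexec's log. The host name, paths, the /cgi-bin/ layout and the minimum uid/gid are assumptions; check the real compile-time values with suexec -V.

```shell
#!/bin/sh
# Added example (not from the original article): a preflight check that
# mirrors the ownership and permission rules suEXEC enforces before it will
# run a CGI/SSI program as the virtual host's user, plus a generator for the
# matching <VirtualHost> block. suexec additionally checks that the program
# lives under its compiled-in document root and that the caller is the Apache
# user; `suexec -V` prints those compile-time values. Assumes GNU stat (Linux).

# suexec_check SCRIPT UID GID [MIN_UID] [MIN_GID]
# Returns 0 if suexec would accept the program, 1 (printing the reason) otherwise.
# 100 is Apache's upstream default for both minimums; distributions may raise it.
suexec_check() {
    script=$1 uid=$2 gid=$3 min_uid=${4:-100} min_gid=${5:-100}
    dir=$(dirname "$script")
    [ -f "$script" ] || { echo "not a regular file: $script"; return 1; }
    # the target must be an ordinary account: never root, never a system account
    [ "$uid" -ne 0 ] || { echo "target user is root"; return 1; }
    [ "$gid" -ne 0 ] || { echo "target group is root"; return 1; }
    [ "$uid" -ge "$min_uid" ] || { echo "uid $uid below minimum $min_uid"; return 1; }
    [ "$gid" -ge "$min_gid" ] || { echo "gid $gid below minimum $min_gid"; return 1; }
    dmode=$(stat -c %a "$dir") fmode=$(stat -c %a "$script")
    # neither the directory nor the program may be writable by group or others
    [ $(( 0$dmode & 022 )) -eq 0 ] || { echo "$dir is writable by group/others"; return 1; }
    [ $(( 0$fmode & 022 )) -eq 0 ] || { echo "$script is writable by group/others"; return 1; }
    # a setuid/setgid program would undermine the switch to the target user
    [ $(( 0$fmode & 06000 )) -eq 0 ] || { echo "$script is setuid/setgid"; return 1; }
    # directory and program must both belong to the SuexecUserGroup user and group
    for p in "$dir" "$script"; do
        [ "$(stat -c %u "$p")" -eq "$uid" ] || { echo "$p not owned by uid $uid"; return 1; }
        [ "$(stat -c %g "$p")" -eq "$gid" ] || { echo "$p not owned by gid $gid"; return 1; }
    done
    return 0
}

# vhost_config SERVERNAME DOCROOT USER GROUP
# Prints a virtual host whose CGI programs under /cgi-bin/ run as USER:GROUP via suexec.
vhost_config() {
    printf '<VirtualHost *:80>\n    ServerName %s\n    DocumentRoot %s\n' "$1" "$2"
    printf '    SuexecUserGroup %s %s\n    ScriptAlias /cgi-bin/ %s/cgi-bin/\n' "$3" "$4" "$2"
    printf '</VirtualHost>\n'
}

# Usage (example host and path, not from the article):
#   vhost_config www.example.com /srv/http/example alice alice
#   suexec_check /srv/http/example/cgi-bin/index.cgi "$(id -u alice)" "$(id -g alice)"
```

Run suexec_check against a script that suexec refuses and the first failing rule is printed; the same rule appears in the suexec log entry for the refused request.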

"Disabling" default DocumentRoot

To tighten your setup further you can disable the default DocumentRoot so that Apache does not execute anything there under the account the server itself runs as. This procedure does not really disable it; rather, it points the default host at a name that is no longer reachable remotely. It is easily achieved by replacing your default ServerName with the following:

ServerName localhost:80

Finishing up

As with every change to the default configuration parameters, you need to restart Apache for the new settings to take effect.